Package org.forgerock.am.iot
Class IotAuthenticationNode
- java.lang.Object
-
- org.forgerock.am.iot.IotAuthenticationNode
-
- All Implemented Interfaces:
Node
public class IotAuthenticationNode extends Object
This node handles the authentication of things. It is responsible for collecting the authentication Proof of Possession or Client Assertion JWTs for a thing and verifying that the JWT`s claims and signature are valid, that the thing's identity exists and that it contains a valid conformation key. If authentication is successful then it will add the username and verified claims to the shared state. It will also modify the resulting session by adding a proof of possession restriction if that is enabled. Any requests accompanied by the resulting session token must be signed, and those signatures must be verified by the stored confirmation key.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
IotAuthenticationNode.AuthenticationOutcomeProvider
Defines the possible outcomes from this node.static interface
IotAuthenticationNode.Config
Configuration for the node.static class
IotAuthenticationNode.JwtAuthenticationMethod
The JWT authentication method used to verify the JWT presented for authentication.-
Nested classes/interfaces inherited from interface org.forgerock.openam.auth.node.api.Node
Node.Metadata
-
-
Field Summary
Fields Modifier and Type Field Description protected static Map<String,Boolean>
alwaysOnRegister
protected static Map<String,Boolean>
alwaysOnSuccess
protected org.forgerock.openam.core.CoreWrapper
coreWrapper
protected static String
FAILURE_OUTCOME
protected static String
JWT_ADDITIONAL_AUDIENCES_KEY
protected static String
JWT_CHALLENGE_KEY
protected static String
JWT_VERIFIED_CLAIMS_KEY
protected Realm
realm
protected static String
REGISTER_OUTCOME
protected static String
REQUIRES_TOKEN_RESTRICTION_KEY
protected static Map<String,Boolean>
sometimesOnSuccess
protected static String
SUCCESS_OUTCOME
-
Constructor Summary
Constructors Constructor Description IotAuthenticationNode(Realm realm, IotAuthenticationNode.Config config, org.forgerock.openam.core.CoreWrapper coreWrapper, LegacyIdentityService identityService, org.forgerock.am.iot.JwtProofOfPossessionVerifier.Factory popVerifierFactory, org.forgerock.am.iot.ClientAssertionVerifier.Factory assertionVerifierFactory, JwtBuilderFactory jwtBuilderFactory)
Create an instance of theIotAuthenticationNode
.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected Optional<Action>
callbackRequired(TreeContext context)
protected String
createChallenge(TreeContext context)
protected Action
failureAction()
protected String
getChallenge(TreeContext context)
org.forgerock.openam.auth.node.api.InputState[]
getInputs()
Provide a list of shared state data a node consumes.protected SignedJwt
getJWT(TreeContext context)
protected SignedJwt
getJWT(TreeContext context, String callbackId)
org.forgerock.openam.auth.node.api.OutputState[]
getOutputs()
Provide a list of shared state data a node provides.Action
process(TreeContext context)
Performs processing on the given shared state, which holds all the data gathered by nodes that have already executed as part of this authentication session in the tree.protected Action
successAction(org.forgerock.am.iot.VerifiedClaimSet verifiedClaims, TreeContext context, boolean requiresTokenRestriction)
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.forgerock.openam.auth.node.api.Node
getAuditEntryDetail
-
-
-
-
Field Detail
-
JWT_CHALLENGE_KEY
protected static final String JWT_CHALLENGE_KEY
- See Also:
- Constant Field Values
-
JWT_VERIFIED_CLAIMS_KEY
protected static final String JWT_VERIFIED_CLAIMS_KEY
- See Also:
- Constant Field Values
-
JWT_ADDITIONAL_AUDIENCES_KEY
protected static final String JWT_ADDITIONAL_AUDIENCES_KEY
- See Also:
- Constant Field Values
-
REQUIRES_TOKEN_RESTRICTION_KEY
protected static final String REQUIRES_TOKEN_RESTRICTION_KEY
- See Also:
- Constant Field Values
-
SUCCESS_OUTCOME
protected static final String SUCCESS_OUTCOME
- See Also:
- Constant Field Values
-
FAILURE_OUTCOME
protected static final String FAILURE_OUTCOME
- See Also:
- Constant Field Values
-
REGISTER_OUTCOME
protected static final String REGISTER_OUTCOME
- See Also:
- Constant Field Values
-
realm
protected final Realm realm
-
coreWrapper
protected final org.forgerock.openam.core.CoreWrapper coreWrapper
-
-
Constructor Detail
-
IotAuthenticationNode
@Inject public IotAuthenticationNode(Realm realm, IotAuthenticationNode.Config config, org.forgerock.openam.core.CoreWrapper coreWrapper, LegacyIdentityService identityService, org.forgerock.am.iot.JwtProofOfPossessionVerifier.Factory popVerifierFactory, org.forgerock.am.iot.ClientAssertionVerifier.Factory assertionVerifierFactory, JwtBuilderFactory jwtBuilderFactory)
Create an instance of theIotAuthenticationNode
.- Parameters:
realm
- the realm in which to create the node.config
- the node configuration.coreWrapper
- wrapper for abstracting core AM functionality.identityService
- an instance of the IdentityService.popVerifierFactory
- factory for creating JwtProofOfPossessionVerifier.assertionVerifierFactory
- factory for creating ClientAssertionVerifier.jwtBuilderFactory
- factory for creating JwtBuilder.
-
-
Method Detail
-
callbackRequired
protected Optional<Action> callbackRequired(TreeContext context)
-
getInputs
public org.forgerock.openam.auth.node.api.InputState[] getInputs()
Description copied from interface:Node
Provide a list of shared state data a node consumes. AnInputState
consists of a property name and an "isRequired" flag. The IsRequired flag indicates whether the input is required in order for the node to function. If the flag is false this indicates that the node will consume this data if it is present but it is not required for the node to function. Example: public InputState[] getInputs() { return new InputState[] { new InputState(IDENTITY), new InputState("foo", false) }; } In this example the node declares that it requires state to contain a property named IDENTITY and that it will consume a property named "foo" if it is present. If "foo" is not present then the node will still function but may be skipping some functionality. This list is used to ensure that state data, both shared and transient, from upstream nodes is left intact for this node to access. If inputs are not declared there is no guarantee that the data needed by the node will still be present in state when the node executes. This list is also used for tree validation to report errors in tree construction.- Returns:
- The list of shared state data.
-
getOutputs
public org.forgerock.openam.auth.node.api.OutputState[] getOutputs()
Description copied from interface:Node
Provide a list of shared state data a node provides. AnOutputState
consists of a property name and a map of node outcomes to a flag indicating whether that outcome is guaranteed to produce that property in state. Any given output may be provided for all outcomes or any subset of outcomes and perhaps only optionally for some of them. Example: public OutputState[] getOutputs() { return new OutputState[] { new OutputState(PASSWORD), new OutputState(config.mode(), singletonMap("*", false) }; } In this example we declare that the node will produce an output named PASSWORD. The lack of an outcome map indicates that this output is provided for all outcomes. The node also outputs a property named via config.mode() that is optional for all of the node's outcomes, i.e. it may or may not be present for downstream nodes to consume. This type of output is best consumed by other nodes by declaring an InputState such as new InputState(config.mode(), false). This list is used by tree validation to report errors in tree construction.- Returns:
- The list of shared state data.
-
process
public Action process(TreeContext context) throws NodeProcessException
Description copied from interface:Node
Performs processing on the given shared state, which holds all the data gathered by nodes that have already executed as part of this authentication session in the tree.This method is invoked when the node is reached in the tree.
- Specified by:
process
in interfaceNode
- Parameters:
context
- The context of the tree authentication.- Returns:
- The next action to perform. Must not be null.
- Throws:
NodeProcessException
- If there was a problem processing that could not be resolved to a single outcome.
-
createChallenge
protected String createChallenge(TreeContext context)
-
failureAction
protected Action failureAction()
-
successAction
protected Action successAction(org.forgerock.am.iot.VerifiedClaimSet verifiedClaims, TreeContext context, boolean requiresTokenRestriction) throws Exception
- Throws:
Exception
-
getChallenge
protected String getChallenge(TreeContext context) throws NodeProcessException
- Throws:
NodeProcessException
-
getJWT
protected SignedJwt getJWT(TreeContext context) throws NodeProcessException
- Throws:
NodeProcessException
-
getJWT
protected SignedJwt getJWT(TreeContext context, String callbackId) throws NodeProcessException
- Throws:
NodeProcessException
-
-